From: Mimi Zohar <zohar@linux.ibm.com>
To: Yeoreum Yun <yeoreum.yun@arm.com>
Cc: David Safford <david.safford@gmail.com>,
Jonathan McDowell <noodles@earth.li>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev,
paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com,
roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com,
eric.snowberg@oracle.com, jarkko@kernel.org, jgg@ziepe.ca,
sudeep.holla@kernel.org, maz@kernel.org, oupton@kernel.org,
joey.gouly@arm.com, suzuki.poulose@arm.com, yuzenghui@huawei.com,
catalin.marinas@arm.com, will@kernel.org, noodles@meta.com,
sebastianene@google.com
Subject: Re: [PATCH] ima: debugging late_initcall_sync measurements
Date: Fri, 08 May 2026 08:55:40 -0400 [thread overview]
Message-ID: <2b3782398cc17ce9d355490a0c42ebce9120a9ae.camel@linux.ibm.com> (raw)
In-Reply-To: <af2nhZyyNaP7LM3w@e129823.arm.com>
On Fri, 2026-05-08 at 10:06 +0100, Yeoreum Yun wrote:
> > The kernel selftests caused the measurements between late_initcall and
> > late_initcall_sync. After disabling all of the kernel selftests, there weren't
> > any measurements. Re-enabling the FIPS selftests on PowerVM LPAR resulted in
> > measurements. (I didn't try re-enabling any of the other selftests.)
> >
> > CONFIG_FIPS_SIGNATURE_SELFTEST=y
> > CONFIG_FIPS_SIGNATURE_SELFTEST_RSA=y
> > CONFIG_FIPS_SIGNATURE_SELFTEST_ECDSA=y
>
> Thanks for shraring this ;)
>
> I found the reason for those mesaurements. Those come from the
> request_module() and usermode-thread generates them while handling module
> loading request for crypto-x962(ecdsa-nist-p256).
> Since it's not a real kernel module,
> I confirmed file measurements between late_initcall and
> late_initcall_sync are gone for modeprobe with below change:
>
> @@ -1246,9 +1250,14 @@ EXPORT_SYMBOL_GPL(ima_measure_critical_data);
> */
> static int ima_kernel_module_request(char *kmod_name)
> {
> if (strncmp(kmod_name, "crypto-pkcs1(rsa,", 17) == 0)
> return -EINVAL;
>
> + if (IS_BUILTIN(CONFIG_CRYPTO_ECDSA) &&
> + (strncmp(kmod_name, "crypto-x962(ecdsa", 17) == 0))
> + return -EINVAL;
> +
> return 0;
> }
>
> Though this is the only request_module() call between
> late_initcall and late_initcall_sync, but I also confirmed there're
> request_modules() call before ima initalisation before "late_initcall":
>
> /*
> * NOTE: kmod_name is printed on ima_kernel_module_request()
> */
>
> // This is called from module_init(stm_core_init) -> device_initcall()
> // which is in driver/hwtracing/stm/core.c (built-in)
> [ 1.421986] ima: kmod_name: stm_p_basic
> ...
> [ 1.444900] ima: kmod_name: crypto-pkcs1(rsa,sha512)
> [ 1.444903] ima: kmod_name: crypto-pkcs1(rsa,sha512)-all
> ...
> [ 1.452029] ima: kmod_name: crypto-cbc(aes)
> [ 1.465321] ima: kmod_name: crypto-cbc(aes)-all
> ...
> [ 1.467845] Key type encrypted registered
> [ 1.467848] AppArmor: AppArmor sha256 policy hashing enabled
>
> // IMA is initailised at late_initcall level.
> [ 1.467850] ima: [init_ima_late:1336]
>
> If IMA should care request_module() from kernel before IMA init,
> I think there is no way to solve except queuing those events
> (kernel_load_data/kernel_load_post_data and open for module binary etc.)
> though it breaks "measure before use" principle since IMA couldn't
> measure at that time.
>
> But if you don't care about those things -- some events happend before
> IMA init, I think your suggestion -- controlling the init time of ima_init()
> via a Kconfig option is good and ignoring some usermodehelper request
> including request_module() before IMA initialisation upto user by that option.
Thank you for the complete analysis. The early measurements before the TPM is
initialized is a problem that needs to be addressed. As to whether the solution
will require queueing is yet to be determined. (Roberto has some thoughts on
addressing it.) This discussion makes it clear that simply delaying IMA
initialization by moving it from late_initcall to late_initcall_sync could miss
measurements. That said, exposing it as an opt-in Kconfig for those who accept
the risk is a sensible pragmatic compromise.
Mimi
next prev parent reply other threads:[~2026-05-08 12:56 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-24 13:23 [RFC PATCH v3 0/4] Fix IMA + TPM initialisation ordering issue Jonathan McDowell
2026-04-24 13:24 ` [RFC PATCH v3 1/4] lsm: Allow LSMs to register for late_initcall_sync init Jonathan McDowell
2026-04-24 13:24 ` [RFC PATCH v3 2/4] security: ima: call ima_init() again at late_initcall_sync for defered TPM Jonathan McDowell
2026-04-24 16:55 ` Yeoreum Yun
2026-04-24 20:25 ` Mimi Zohar
2026-04-25 9:10 ` Jonathan McDowell
2026-04-24 13:24 ` [RFC PATCH v3 3/4] Revert "tpm: tpm_crb_ffa: try to probe tpm_crb_ffa when it's built-in" Jonathan McDowell
2026-04-24 16:10 ` Sudeep Holla
2026-04-24 13:24 ` [RFC PATCH v3 4/4] Revert "firmware: arm_ffa: Change initcall level of ffa_init() to rootfs_initcall" Jonathan McDowell
2026-04-24 16:09 ` Sudeep Holla
2026-04-25 14:19 ` Jarkko Sakkinen
2026-05-08 18:03 ` Sudeep Holla
2026-04-29 20:01 ` [PATCH] ima: debugging late_initcall_sync measurements Mimi Zohar
2026-04-30 9:48 ` Yeoreum Yun
2026-04-30 21:39 ` Mimi Zohar
2026-04-30 22:35 ` Paul Moore
2026-05-01 1:51 ` Mimi Zohar
2026-05-03 16:46 ` Paul Moore
2026-05-04 12:02 ` Mimi Zohar
2026-05-04 20:51 ` Paul Moore
2026-05-05 21:02 ` Mimi Zohar
2026-05-05 22:55 ` Paul Moore
2026-05-06 1:51 ` Mimi Zohar
2026-05-06 2:11 ` Paul Moore
2026-05-07 2:25 ` Mimi Zohar
2026-05-07 8:10 ` Roberto Sassu
2026-05-07 14:00 ` Mimi Zohar
2026-05-01 16:52 ` David Safford
2026-05-03 11:36 ` Mimi Zohar
2026-05-03 12:42 ` Mimi Zohar
2026-05-06 5:54 ` Yeoreum Yun
2026-05-06 7:23 ` Yeoreum Yun
2026-05-06 11:47 ` Mimi Zohar
2026-05-06 13:57 ` Yeoreum Yun
2026-05-07 2:32 ` Mimi Zohar
2026-05-07 5:50 ` Yeoreum Yun
2026-05-07 11:28 ` Mimi Zohar
2026-05-07 12:41 ` Yeoreum Yun
2026-05-07 20:03 ` Yeoreum Yun
2026-05-07 21:36 ` Mimi Zohar
2026-05-08 9:06 ` Yeoreum Yun
2026-05-08 12:55 ` Mimi Zohar [this message]
2026-05-08 13:41 ` Yeoreum Yun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2b3782398cc17ce9d355490a0c42ebce9120a9ae.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=catalin.marinas@arm.com \
--cc=david.safford@gmail.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=jarkko@kernel.org \
--cc=jgg@ziepe.ca \
--cc=jmorris@namei.org \
--cc=joey.gouly@arm.com \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=maz@kernel.org \
--cc=noodles@earth.li \
--cc=noodles@meta.com \
--cc=oupton@kernel.org \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=sebastianene@google.com \
--cc=serge@hallyn.com \
--cc=sudeep.holla@kernel.org \
--cc=suzuki.poulose@arm.com \
--cc=will@kernel.org \
--cc=yeoreum.yun@arm.com \
--cc=yuzenghui@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox